Skip to content
  • Analysts
  • Contact Us
  • Services

The DFIR Report

Real Intrusions by Real Attackers, The Truth Behind the Intrusion

  • Analysts
  • Contact Us
  • Services
Friday, August 19, 2022
BumbleBee Roasts Its Way to Domain Admin
adfind bumblebee cobaltstrike Kerberoast ShareFinder

BumbleBee Roasts Its Way to Domain Admin

August 8, 2022

In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that was first reported by Google Threat Analysis Group … Read More

SELECT XMRig FROM SQLServer
coinminer exploit

SELECT XMRig FROM SQLServer

July 11, 2022

In March 2022, we observed an intrusion on a public-facing Microsoft SQL Server. The end goal of this intrusion was to deploy a coin miner. Although deploying a coin miner … Read More

SANS Ransomware Summit 2022, Can You Detect This?
Conference

SANS Ransomware Summit 2022, Can You Detect This?

June 16, 2022

This report is a companion to the SANS Ransomware Summit 2022 “Can You Detect This” presentation today 6/16/22 @ 14:40 UTC (10:40 AM ET). Slides: SANS Ransomware Summit 2022 – … Read More

Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration
CVE-2021-44077 Exfiltrate Data exploit Plink

Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration

June 6, 2022

In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor, discovered files on the … Read More

SEO Poisoning – A Gootloader Story
cobaltstrike gootloader lazagne psexec

SEO Poisoning – A Gootloader Story

May 9, 2022

In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector. The intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense … Read More

Quantum Ransomware
adfind cobaltstrike icedid psexec quantum ransomware

Quantum Ransomware

April 25, 2022

In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access, to domain wide ransomware. The initial access vector for … Read More

Stolen Images Campaign Ends in Conti Ransomware
adfind cobaltstrike conti exploit icedid ransomware

Stolen Images Campaign Ends in Conti Ransomware

April 4, 2022

In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered … Read More

APT35 Automates Initial Access Using ProxyShell
APT35 exploit Fast Reverse Proxy ProxyShell

APT35 Automates Initial Access Using ProxyShell

March 21, 2022

In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities and tasks … Read More

2021 Year In Review
Uncategorized

2021 Year In Review

March 7, 2022

As we come to the end of the first quarter of 2022, we want to take some time to look back over our cases from 2021, in aggregate, and look … Read More

Qbot and Zerologon Lead To Full Domain Compromise
adfind cobaltstrike Qbot

Qbot and Zerologon Lead To Full Domain Compromise

February 21, 2022

In this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of Qbot (a.k.a. Quakbot/Qakbot) malware. Soon after execution of the Qbot … Read More

Posts navigation

1 2 … 6 Next

Translate

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Follow us on Twitter

My Tweets

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Proudly powered by WordPress | Theme: FreeNews | By ThemeSpiral.com.